tcpdump mailing list archives

Re: why it was not capturing exact bytes given in tcpdump -s


From: Guy Harris <guy () alum mit edu>
Date: Mon, 16 Jan 2006 11:14:17 -0800


On Jan 16, 2006, at 1:33 AM, Latha G wrote:

I had given "tcpdump -c 1 -s 40 > file", after that I checked the file
size using "ls -l file";
what I got for the file size is some 83 bytes.

There are several issues here.

For one thing, as you didn't use the "-w" option:

        tcpdump -c 1 -s 40 -w file

what tcpdump is writing to the file is *NOT* raw packet data, it's a printout of a dissection of the packet's data. There is *NO* guarantee that the number of characters of text that

        tcpdump -c 1 -s 40 > file

will write to "file" has any connection to the size of the packet it captures.

And even if you use "-w", a libpcap-format file includes more than just the raw packet data; it includes a file header, 24 bytes long, giving information such as the type of link-layer header in the packets in the file (Ethernet, Token Ring, 802.11, FDDI, PPP, etc.), and it includes, for each packet, a per-packet header, 16 bytes long, giving the packet time stamp and length information for the packet.

Furthermore:

It was varying from time to time
I executed tcpdump; sometimes the file size is 232 bytes. Anyway, I am
getting the captured bytes to be other than the given snaplen bytes.
The -s option is to capture snaplen bytes of data. Then why was it not
capturing exactly the bytes given?

...the "-s" option is *NOT* to capture exactly "snaplen" bytes of data. It's to save *no more than* "snaplen" bytes of data; it will not pad the packet to "snaplen" if it's shorter than "snaplen", it'll just cut the packet data short if it's *longer* than "snaplen".
-
This is the tcpdump-workers list.
Visit https://lists.sandelman.ca/ to unsubscribe.
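The arithmetic Guy describes, as an added example that is not part of the thread: a small writer/reader for the libpcap format (24-byte file header, 16-byte record header before each packet) that cuts a 60-byte frame to a 40-byte snaplen while leaving a 30-byte frame unpadded, then checks that the file size is the header overhead plus the sum of the captured lengths. The sample frames and timestamps are constructed; the header layouts are the standard pcap ones.

```python
import struct

PCAP_MAGIC = 0xA1B2C3D4          # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HEADER_LEN = 24           # file header: magic, version, tz, sigfigs, snaplen, linktype
PACKET_HEADER_LEN = 16           # per-packet header: ts_sec, ts_usec, caplen, origlen

def write_pcap(packets, snaplen, linktype=LINKTYPE_ETHERNET):
    """Serialize packets the way `tcpdump -s snaplen -w file` stores them:
    at most snaplen bytes of each packet are kept, shorter packets are never padded."""
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype))
    for ts_sec, ts_usec, data in packets:
        caplen = min(len(data), snaplen)           # truncate, don't pad
        out += struct.pack("<IIII", ts_sec, ts_usec, caplen, len(data))
        out += data[:caplen]
    return bytes(out)

def read_pcap(blob):
    """Parse the file header and each record header; return (snaplen, [(caplen, origlen, data)])."""
    magic, _vmaj, _vmin, _tz, _sig, snaplen, _lt = struct.unpack("<IHHiIII", blob[:GLOBAL_HEADER_LEN])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap file")
    records, off = [], GLOBAL_HEADER_LEN
    while off + PACKET_HEADER_LEN <= len(blob):
        _s, _us, caplen, origlen = struct.unpack("<IIII", blob[off:off + PACKET_HEADER_LEN])
        off += PACKET_HEADER_LEN
        # A caplen above the file's snaplen, or running past EOF, means a corrupt record.
        if caplen > snaplen or off + caplen > len(blob):
            raise ValueError("corrupt record at offset %d" % (off - PACKET_HEADER_LEN))
        records.append((caplen, origlen, blob[off:off + caplen]))
        off += caplen
    return snaplen, records

def expected_file_size(records):
    """File size = file header + (record header + captured bytes) per packet."""
    return GLOBAL_HEADER_LEN + sum(PACKET_HEADER_LEN + caplen for caplen, _, _ in records)

# Constructed sample: a 60-byte frame (longer than snaplen) and a 30-byte frame (shorter).
SAMPLE = [(1137437657, 0, bytes(range(60))), (1137437657, 500, bytes(range(30)))]

def demo(snaplen=40):
    blob = write_pcap(SAMPLE, snaplen)
    got_snaplen, records = read_pcap(blob)
    assert got_snaplen == snaplen and expected_file_size(records) == len(blob)
    return len(blob), [(caplen, origlen) for caplen, origlen, _ in records]
```

With a snaplen of 40 the file is 24 + (16 + 40) + (16 + 30) = 126 bytes: neither packet's stored length equals the snaplen, and the original lengths (60 and 30) survive in the per-packet headers.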

